Reflected XSS in a JavaScript URL with some characters blocked